Hello Sergio,

On 02.04.2023 at 06:38, Sergio Durigan Junior wrote:
Source: znc
Version: 1.8.2-3
Severity: important

Hello,

I noticed that ZNC's service file comes with just a few settings that
improve security:

--8<---------------cut here---------------start------------->8---
...
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
LimitNOFILE=1024
...
--8<---------------cut here---------------end--------------->8---

IMHO, these settings should be improved.  Here's what I recommend:

1) "ProtectHome=yes", because ZNC's $HOME is not located inside /home,
    so it's OK to make /home, /root and /run/user inaccessible.

Thank you for testing this. ProtectHome is the only thing with a question mark for me. I think most users are using znc under a normal user inside home, because running it as a "normal" service was just added three years ago with 1.7.4-2. So people still running it with a user inside /home could get problems if they just adopt the new service file, or are using documentation that copies this file and use it for their own user.
What do you think?

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: https://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
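
An added example, not part of the original message or of the ZNC package: a small Python check for the ProtectHome question discussed above. It reads a unit's [Service] section and reports whether a given ZNC data directory is still reachable; the paths /var/lib/znc and /home/alice/.znc and all function names are assumptions made for illustration.

```python
import posixpath

PROTECTED = ("/home", "/root", "/run/user")  # directories ProtectHome= acts on
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

# Constructed units: the fragment quoted in the report, and the proposed change.
CURRENT = """[Service]
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
LimitNOFILE=1024
"""
PROPOSED = CURRENT.replace("ProtectHome=no", "ProtectHome=yes")

def effective_protect_home(unit_text):
    """Return the last ProtectHome= value in [Service] (later lines win)."""
    section, value = None, "no"  # systemd's default is no
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "ProtectHome":
                val = val.lower()
                value = "yes" if val in TRUE else "no" if val in FALSE else val
    if value not in ("yes", "no", "read-only", "tmpfs"):
        raise ValueError(f"unknown ProtectHome value: {value!r}")
    return value

def under_protected(path):
    """True if path is one of the protected directories or lies below one."""
    path = posixpath.normpath(path)
    return any(path == d or path.startswith(d + "/") for d in PROTECTED)

def datadir_access(unit_text, datadir):
    """'unaffected', 'read-only' or 'hidden' as far as ProtectHome= is concerned."""
    mode = effective_protect_home(unit_text)
    if mode == "no" or not under_protected(datadir):
        return "unaffected"
    return "read-only" if mode == "read-only" else "hidden"  # yes or tmpfs

if __name__ == "__main__":
    for d in ("/var/lib/znc", "/home/alice/.znc"):  # constructed sample paths
        print(d, "->", datadir_access(PROPOSED, d))
```

The check is purely lexical: a data directory reached through a symlink into /home is not detected.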
